
Melissa Test Questions


Question 1 of 181

What is the First Step required in preparing a computer for forensics investigation?

Select one of the following:

Secure any relevant media

Do not turn the computer off or on, run any programs, or attempt to access data on a computer

Suspend automated document destruction and recycling policies that may pertain to any
relevant media or users at issue

Identify the type of data you are seeking, the information you are looking for, and the urgency
level of the examination

Question 2 of 181

1

Network forensics can be defined as the sniffing, recording, acquisition and analysis of the
network traffic and event logs in order to investigate a network security incident.

Select one of the following:

True

False

Question 3 of 181

1

Which of the following commands shows you the names of all open shared files on a server and
number of file locks on each file?

Select one of the following:

Net sessions

Net file

Netconfig

Net share

Question 4 of 181

1

The Recycle Bin exists as a metaphor for throwing files away, but it also allows users to retrieve
and restore files. Once a file is moved to the Recycle Bin, a record is added to the log file that
exists in the Recycle Bin. Which of the following files contains records that correspond to each
deleted file in the Recycle Bin?

Select one of the following:

INFO1 file

INFO2 file

LOGINFO2 file

LOGINFO1 file

Question 5 of 181

1

Email archiving is a systematic approach to saving and protecting the data contained in emails so that
it can be accessed quickly at a later date. There are two main archive types, namely Local Archive
and Server Storage Archive. Which of the following statements is correct when dealing with local
archives?

Select one of the following:

Server storage archives are the server information and settings stored on a local system
whereas the local archives are the local email client information stored on the mail server

Local archives should be stored together with the server storage archives in order to be
admissible in a court of law

Local archives do not have evidentiary value as the email client may alter the message data

It is difficult to deal with the webmail as there is no offline archive in most cases. So consult
your counsel on the case as to the best way to approach and gain access to the required data on
servers

Question 6 of 181

1

Which of the following email headers specifies an address for mailer-generated errors, like "no
such user" bounce messages, to go to (instead of the sender's address)?

Select one of the following:

Content-Transfer-Encoding header

Content-Type header

Mime-Version header

Errors-To header

Question 7 of 181

1

Which of the following commands shows you all of the network services running on Windows-based
servers?

Select one of the following:

Net start

Net use

Net Session

Net share

Question 8 of 181

1

Email archiving is a systematic approach to saving and protecting the data contained in emails so that
it can be easily accessed at a later date.

Select one of the following:

True

False

Question 9 of 181

1

The Windows Security Accounts Manager (SAM) is a registry file which stores passwords in a hashed
format. The SAM file in Windows is located at:

Select one of the following:

C:\windows\system32\con\SAM

C:\windows\system32\config\SAM

C:\windows\system32\Boot\SAM

C:\windows\system32\drivers\SAM

Question 10 of 181

1

FAT32 is a 32-bit version of the FAT file system that uses smaller clusters, resulting in more
efficient use of storage capacity. What is the maximum drive size supported?

Select one of the following:

1 terabyte

2 terabytes

3 terabytes

4 terabytes

Question 11 of 181

1

In which step of the computer forensics investigation methodology would you run MD5 checksum
on the evidence?

Select one or more of the following:

Question 13 of 181

1

Determine the message length from the following hex viewer record:

Select one of the following:

6E2F

13

27

810D

Question 14 of 181

1

TCP/IP (Transmission Control Protocol/Internet Protocol) is a communication protocol used to
connect different hosts on the Internet. It contains four layers, namely the network interface layer,
Internet layer, transport layer, and application layer. Which of the following protocols works at the
transport layer of TCP/IP?

Select one of the following:

UDP

HTTP

FTP

SNMP

Question 15 of 181

1

Which of the following statements does not support the case assessment?

Select one of the following:

Do not document the chain of custody

Discuss whether other forensic processes need to be performed on the evidence

Identify the legal authority for the forensic examination request

Review the case investigator's request for service

Question 16 of 181

1

Wireless access control attacks aim to penetrate a network by evading WLAN access control
measures, such as AP MAC filters and Wi-Fi port access controls. Which of the following wireless
access control attacks allows the attacker to set up a rogue access point outside the corporate
perimeter, and then lure the employees of the organization to connect to it?

Select one of the following:

War driving

Rogue access points

MAC spoofing

Client mis-association

Question 17 of 181

1

File deletion is a way of removing a file from a computer's file system. What happens when a file is
deleted in Windows 7?

Select one of the following:

The last letter of a file name is replaced by a hex byte code E5h

The operating system marks the file's name in the MFT with a special character that indicates
that the file has been deleted

Corresponding clusters in FAT are marked as used

The computer looks at the clusters occupied by that file and does not make that space available to
store a new file

Question 18 of 181

1

What is cold boot (hard boot)?

Select one of the following:

It is the process of starting a computer from a powered-down or off state

It is the process of restarting a computer that is already turned on through the operating system

It is the process of shutting down a computer from a powered-on or on state

It is the process of restarting a computer that is already in sleep mode

Question 19 of 181

1

When a file or folder is deleted, the complete path, including the original file name, is stored in a
special hidden file called "INFO2" in the Recycled folder. If the INFO2 file is deleted, it is re-created
when you ___________.

Select one of the following:

Restart Windows

Kill the running processes in Windows task manager

Run the antivirus tool on the system

Run the anti-spyware tool on the system

Question 20 of 181

1

WPA2 provides enterprise and Wi-Fi users with stronger data protection and network access
control. Which of the following encryption algorithms is used by WPA2?

Select one of the following:

RC4-CCMP

RC4-TKIP

AES-CCMP

AES-TKIP

Question 21 of 181

1

The disk in the disk drive rotates at high speed, and heads in the disk drive are used only to read
data.

Select one of the following:

True

False

Question 22 of 181

1

What is a bit-stream copy?

Select one of the following:

A bit-stream copy is a bit-by-bit copy of the original storage medium and an exact copy of the
original disk

A bit-stream image is the file that contains the NTFS files and folders of all the data on a disk or
partition

A bit-stream image is the file that contains the FAT32 files and folders of all the data on a disk
or partition

Creating a bit-stream image transfers only non-deleted files from the original disk to the image
disk

Question 23 of 181

1

System software password cracking is defined as cracking the passwords of the operating system and
all other utilities that enable a computer to function.

Select one of the following:

True

False

Question 24 of 181

1

Which of the following steganography techniques allows you to encode information in a way that
ensures the creation of a cover for secret communication?

Select one of the following:

Substitution techniques

Transform domain techniques

Cover generation techniques

Spread spectrum techniques

Question 25 of 181

1

Ron, a computer forensics expert, is investigating a case involving corporate espionage. He has
recovered several mobile computing devices from the crime scene. One piece of evidence that Ron
possesses is a Nokia mobile phone that was left in the on condition. Ron needs to recover the
IMEI number of the device to establish the identity of the device owner. Which of the following key
combinations can he use to recover the IMEI number?

Select one of the following:

#*06*#

*#06#

#06r

*IMEI#

Question 26 of 181

1

Who is responsible for the following tasks?
- Secure the scene and ensure that it is maintained in a secure state until the Forensic Team
advises
- Make notes about the scene that will eventually be handed over to the Forensic Team

Select one of the following:

Non-Laboratory Staff

System administrators

Local managers or other non-forensic staff

Lawyers

Question 27 of 181

1

A system with a simple logging mechanism was not given much attention during development, and
this system is now being targeted by attackers. If the attacker wants to perform a new-line
injection attack, what will he/she inject into the log file?

Select one of the following:

Plaintext

Single pipe character

Multiple pipe characters

HTML tags

Question 28 of 181

1

During the seizure of digital evidence, the suspect can be allowed to touch the computer system.

Select one of the following:

True

False

Question 29 of 181

1

Which of the following password cracking techniques works like a dictionary attack, but adds some
numbers and symbols to the words from the dictionary and tries to crack the password?

Select one of the following:

Brute forcing attack

Hybrid attack

Syllable attack

Rule-based attack

Question 30 of 181

1

Consistency in the investigative report is more important than the exact format in the report to
eliminate uncertainty and confusion.

Select one of the following:

True

False

Question 31 of 181

1

When dealing with powered-off computers at the crime scene, if the computer is switched off,
turn it on.

Select one of the following:

True

False

Question 32 of 181

1

MAC filtering is a security access control methodology in which a ___________ is assigned to each
network card to determine access to the network.

Select one of the following:

16-bit address

24-bit address

32-bit address

48-bit address

Question 33 of 181

1

You can interact with the Registry through intermediate programs. Graphical user interface (GUI)
Registry editors such as Regedit.exe or Regedt32.exe are commonly used as intermediate
programs in Windows 7. Which of the following is a root folder of the registry editor?

Select one of the following:

HKEY_USERS

HKEY_LOCAL_ADMIN

HKEY_CLASSES_ADMIN

HKEY_CLASSES_SYSTEM

Question 34 of 181

1

You have been given the task to investigate web attacks on a Windows-based server.
Which of the following commands will you use to look at which sessions the machine has opened
with other systems?

Select one of the following:

Net sessions

Net use

Net config

Net share

Question 35 of 181

1

What is a SCSI (Small Computer System Interface)?

Select one of the following:

A set of ANSI standard electronic interfaces that allow personal computers to communicate with
peripheral hardware such as disk drives, tape drives, CD-ROM drives, printers, and scanners

A standard electronic interface used between a computer motherboard's data paths or bus and
the computer's disk storage devices

A "plug-and-play" interface, which allows a device to be added without an adapter card and
without rebooting the computer

A point-to-point serial bi-directional interface for transmitting data between computer devices at
data rates of up to 4 Gbps

Question 36 of 181

1

The status of the network interface cards (NICs) connected to a system gives information about
whether the system is connected to a wireless access point and what IP address is being used.
Which command displays the network configuration of the NICs on the system?

Select one of the following:

ipconfig /all

netstat

net session

tasklist

Question 37 of 181

1

Which is a Linux journaling file system?

Select one of the following:

Ext3

HFS

FAT

BFS

Question 38 of 181

1

Which of the following steganography types hides the secret message in a specifically designed
pattern on the document that is unclear to the average reader?

Select one of the following:

Open code steganography

Visual semagrams steganography

Text semagrams steganography

Technical steganography

Question 39 of 181

1

Web applications provide an interface between end users and web servers through a set of web
pages that are generated at the server end or contain script code to be executed dynamically within
the client web browser.

Select one of the following:

True

False

Question 40 of 181

1

Jason, a renowned forensic investigator, is investigating a network attack that resulted in the
compromise of several systems in a reputed multinational's network. He started Wireshark to
capture the network traffic. Upon investigation, he found that the DNS packets travelling across
the network belonged to an IP address not configured by the company. Which of the following
attacks can Jason infer from his findings?

Select one of the following:

DNS Poisoning

Cookie Poisoning Attack

DNS Redirection

Session poisoning

Question 41 of 181

1

Which table is used to convert huge word lists (i.e. dictionary files and brute-force lists) into
password hashes?

Select one of the following:

Rainbow tables

Hash tables

Master file tables

Database tables

Question 42 of 181

1

A data acquisition system is a combination of tools or processes used to gather, analyze and record
information about some phenomenon. Different data acquisition systems are used depending on the
location, speed, cost, etc. A serial communication data acquisition system is used when the actual
location of the data is at some distance from the computer. Which of the following communication
standards is used in a serial communication data acquisition system?

Select one of the following:

RS422

RS423

RS232

RS231

Question 43 of 181

1

Which of the following statements is incorrect when preserving digital evidence?

Select one of the following:

Document the actions and changes that you observe in the monitor, computer, printer, or in
other peripherals

Verify whether the monitor is on, off, or in sleep mode

Remove the power cable depending on the power state of the computer, i.e., on, off, or in
sleep mode

Turn on the computer and extract Windows event viewer log files

Question 44 of 181

1

Which of the following would you consider an aspect of organizational security, especially focusing
on IT security?

Select one of the following:

Biometric information security

Security from frauds

Application security

Information copyright security

Question 45 of 181

1

Which of the following approaches checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to determine the correlation
across one or multiple fields?

Select one of the following:

Graph-based approach

Neural network-based approach

Rule-based approach

Automated field correlation approach

Question 46 of 181

1

Log management includes all the processes and techniques used to collect, aggregate, and
analyze computer-generated log messages. It consists of the hardware, software, network and
media used to generate, transmit, store, analyze, and dispose of log data.

Select one of the following:

True

False

Question 47 of 181

1

Data files from the original evidence should be used for forensic analysis.

Select one of the following:

True

False

Question 48 of 181

1

Attackers can manipulate variables that reference files with "dot-dot-slash (../)" sequences and
their variations, such as http://www.juggyboy.com/GET/process.php?../../../../../../../etc/passwd.
Identify the attack referred to.

Select one of the following:

Directory traversal

SQL Injection

XSS attack

File injection

Question 49 of 181

1

The Electronic Serial Number (ESN) is a unique __________ recorded on a secure chip in a
mobile phone by the manufacturer.

Select one of the following:

16-bit identifier

24-bit identifier

32-bit identifier

64-bit identifier

Question 50 of 181

1

First response to an incident may involve three different groups of people, each of which has
differing skills and needs to carry out differing tasks based on the incident. Who is responsible for
collecting, preserving, and packaging electronic evidence?

Select one of the following:

System administrators

Local managers or other non-forensic staff

Forensic laboratory staff

Lawyers

Question 51 of 181

1

The tasklist command displays a list of applications and services with their Process ID (PID) for all
tasks running on either a local or a remote computer.
Which of the following tasklist commands provides information about the listed processes,
including the image name, PID, and the name and number of the session for the process?

Select one of the following:

tasklist /s

tasklist /u

tasklist /p

tasklist /v

Question 52 of 181

1

An expert witness is a witness who, by virtue of education, profession, or experience, is believed
to have special knowledge of his/her subject beyond that of the average person, sufficient that
others legally depend upon his/her opinion.

Select one of the following:

True

False

Question 53 of 181

1

POP3 (Post Office Protocol 3) is a standard protocol for receiving email that deletes mail on the
server as soon as the user downloads it. When a message arrives, the POP3 server appends it to
the bottom of the recipient's account file, which can be retrieved by the email client at any
preferred time. The email client connects to the POP3 server at _______________ by default to
fetch emails.

Select one of the following:

The logon attempt was made with an unknown user name or a known user name with a bad
password

An attempt was made to log on with the user account outside of the allowed time

A logon attempt was made using a disabled account

Question 55 of 181

1

When collecting evidence from the RAM, where do you look for data?

Select one of the following:

Swap file

SAM file

Data file

Log file

Question 56 of 181

1

A rogue/unauthorized access point is one that is not authorized for operation by a particular firm or
network.

Select one of the following:

True

False

Question 57 of 181

1

Computer security logs contain information about the events occurring within an organization's
systems and networks. Application and web server log files are useful in detecting web attacks.
The source, nature, and time of the attack can be determined by _________ of the compromised
system.

Select one of the following:

Analyzing log files

Analyzing SAM file

Analyzing rainbow tables

Analyzing hard disk boot records

Question 58 of 181

1

A deposition enables opposing counsel to preview an expert witness's testimony at trial. Which of
the following is not standard practice in a deposition?

Select one of the following:

Both attorneys are present

Only one attorney is present

No jury or judge

Opposing counsel asks questions

Question 59 of 181

1

A deposition enables opposing counsel to preview an expert witness's testimony at trial. Which of
the following is not standard practice in a deposition?

Select one of the following:

Both attorneys are present

Only one attorney is present

No jury or judge

Opposing counsel asks questions

Question 60 of 181

1

If a file (readme.txt) on a hard disk has a size of 2600 bytes, how many sectors are normally
allocated to this file?

Select one of the following:

4 Sectors

5 Sectors

6 Sectors

7 Sectors

Question 61 of 181

1

Recovery of the deleted partition is the process by which the investigator evaluates and extracts
the deleted partitions.

Select one of the following:

True

False

Question 62 of 181

1

During the first responder procedure, you should follow all laws while collecting the evidence, and
contact a computer forensic examiner as soon as possible.

Select one of the following:

True

False

Question 63 of 181

1

Which one of the following is not a consideration in a forensic readiness planning checklist?

Select one of the following:

Define the business states that need digital evidence

Identify the potential evidence available

Decide the procedure for securely collecting the evidence that meets the requirement in a
forensically sound manner

Take permission from all employees of the organization

Question 64 of 181

1

When collecting electronic evidence at the crime scene, the collection should proceed from the
most volatile to the least volatile

Select one of the following:

True

False

Question 65 of 181

1

What is a chain of custody?

Select one of the following:

A legal document that demonstrates the progression of evidence as it travels from the original
evidence location to the forensic laboratory

It is a search warrant that is required for seizing evidence at a crime scene

It is a document that lists a chain of Windows process events

Chain of custody refers to obtaining preemptive court order to restrict further damage of
evidence in electronic seizures

Question 66 of 181

1

Data is striped at a byte level across multiple drives and parity information is distributed among all
member drives. What RAID level is represented here?

Select one of the following:

RAID Level 0

RAID Level 1

RAID Level 3

RAID Level 5

Question 67 of 181

1

A computer forensics report provides detailed information on the complete computer forensics
investigation process. It should explain how the incident occurred, provide technical details of the
incident, and be clear and easy to understand. Which of the following attributes of a forensics report
can render it inadmissible in a court of law?

Select one of the following:

It includes metadata about the incident

It includes relevant extracts referred to in the report that support analysis or conclusions

It is based on logical assumptions about the incident timeline

It maintains a single document style throughout the text

Question 68 of 181

1

Email spoofing refers to:

Select one of the following:

The forgery of an email header so that the message appears to have originated from someone
or somewhere other than the actual source

The criminal act of sending an illegitimate email, falsely claiming to be from a legitimate site in
an attempt to acquire the user's personal or account information

Sending huge volumes of email to an address in an attempt to overflow the mailbox or
overwhelm the server where the email address is hosted to cause a denial-of-service attack

A sudden spike of "Reply All" messages on an email distribution list, caused by one misdirected
message

Question 69 of 181

1

Volatile information can be easily modified or lost when the system is shut down or rebooted. It
helps to determine a logical timeline of the security incident and the users who would be
responsible.

Select one of the following:

True

False

Question 70 of 181

1

A steganographic file system is a method to store the files in a way that encrypts and hides the
data without the knowledge of others

Select one of the following:

True

False

Question 71 of 181

1

Which device in a wireless local area network (WLAN) determines the next network point to which
a packet should be forwarded toward its destination?

Select one of the following:

Wireless router

Wireless modem

Antenna

Mobile station

Question 72 of 181

1

Data Acquisition is the process of imaging or otherwise obtaining information from a digital device
and its peripheral equipment and media

Select one of the following:

True

False

Question 73 of 181

1

LBA (Logical Block Address) addresses data by allotting a ___________ to each sector of the hard
disk.

Select one of the following:

Sequential number

Index number

Operating system number

Sector number

Question 74 of 181

1

Buffer Overflow occurs when an application writes more data to a block of memory, or buffer, than
the buffer is allocated to hold. Buffer overflow attacks allow an attacker to modify the
_______________in order to control the process execution, crash the process and modify internal
variables.

Select one of the following:

Target process's address space

Target remote access

Target rainbow table

Target SAM file

Question 75 of 181

1

Physical security recommendations: There should be only one entrance to a forensics lab

Select one of the following:

True

False

Question 76 of 181

1

File signature analysis involves collecting information from the __________ of a file to determine
the type and function of the file

Select one of the following:

First 10 bytes

First 20 bytes

First 30 bytes

First 40 bytes

Question 77 of 181

1

You should always work with original evidence

Select one of the following:

True

False

Question 78 of 181

1

When a system is compromised, attackers often try to disable auditing. In Windows 7,
modifications to the audit policy are recorded as entries of Event ID ____________.

Select one of the following:

4902

3902

4904

3904

Question 79 of 181

1

Which of the following network attacks refers to sending huge volumes of email to an address in
an attempt to overflow the mailbox, or overwhelm the server where the email address is hosted, to
cause a denial-of-service attack?

Select one of the following:

Email spamming

Mail bombing

Phishing

Email spoofing

Question 80 of 181

1

Which of the following files in Novell GroupWise stores information about user accounts?

Select one of the following:

ngwguard.db

gwcheck.db

PRIV.EDB

PRIV.STM

Question 81 of 181

1

Digital evidence is not fragile in nature.

Select one of the following:

True

False

Question 82 of 181

1

Which of the following log injection attacks uses white space padding to create unusual log
entries?

Select one of the following:

Word wrap abuse attack

HTML injection attack

Terminal injection attack

Timestamp injection attack

Question 83 of 181

1

Which of the following is not correct when documenting an electronic crime scene?

Select one of the following:

Document the physical scene, such as the position of the mouse and the location of
components near the system

Document related electronic components that are difficult to find

Record the condition of the computer system, storage media, electronic devices and
conventional evidence, including power status of the computer

Write down the color of the shirt and pants the suspect was wearing

Question 84 of 181

1

Under no circumstances should anyone, with the exception of qualified computer forensics
personnel, make any attempts to restore or recover information from a computer system or device
that holds electronic information.

Select one of the following:

Question 85 of 181

Select one of the following:

TCP

FTP

SMTP

POP

Question 86 of 181

1

An image is an artifact that reproduces the likeness of some subject. These are produced by
optical devices (i.e. cameras, mirrors, lenses, telescopes, and microscopes).
Which property of the image shows you the number of colors available for each pixel in an image?

Select one of the following:

Pixel

Bit Depth

File Formats

Image File Size

Question 87 of 181

1

Which of the following statements is incorrect regarding the acquisition of electronic evidence at a
crime scene?

Select one of the following:

Sample banners are used to record the system activities when used by the unauthorized user

In warning banners, organizations give clear and unequivocal notice to intruders that by signing
onto the system they are expressly consenting to such monitoring

The equipment is seized which is connected to the case, knowing the role of the computer
which will indicate what should be taken

At the time of seizing process, you need to shut down the computer immediately

Question 88 of 181

1

Depending upon the jurisdictional area, different laws apply to different incidents. Which of the
following laws is related to fraud and related activity in connection with computers?

Select one of the following:

18 USC 7029

18 USC 7030

18 USC 7361

18 USC 7371

Question 89 of 181

1

Which of the following is not a part of the technical specification of the laboratory-based imaging
system?

Select one of the following:

High performance workstation PC

Remote preview and imaging pod

Anti-repudiation techniques

Very low image capture rate

Question 90 of 181

1

Which of the following is not a part of the data acquisition forensics investigation?

Select one of the following:

Permit only authorized personnel to access

Protect the evidence from extremes in temperature

Work on the original storage medium not on the duplicated copy

Disable all remote access to the system

Question 91 of 181

1

At the time of evidence transfer, both sender and receiver need to record the date and time of
transfer in the chain of custody record.

Select one of the following:

True

False

Question 92 of 181

1

Digital photography helps in correcting the perspective of the image, which is used in taking the
measurements of the evidence. Snapshots of the evidence and incident-prone areas need to be
taken to help in the forensic process. Is digital photography accepted as evidence in a court of
law?

Select one of the following:

True

False

Question 93 of 181

1

Computer security logs contain information about the events occurring within an organization's
systems and networks. Which of the following security logs contains logs of network- and host-based
security software?

Select one of the following:

Operating System (OS) logs

Application logs

Security software logs

Audit logs

Question 94 of 181

1

What is the "Best Evidence Rule"?

Select one of the following:

It states that the court only allows the original evidence of a document, photograph, or
recording at the trial rather than a copy

It contains information such as open network connection, user logout, programs that reside in
memory, and cache data

Question 95 of 181

1

SIM is a removable component that contains essential information about the subscriber. It has
both volatile and non-volatile memory. The file system of a SIM resides in _____________
memory.

Select one of the following:

Volatile

Non-volatile

Question 96 of 181

1

Which of the following passwords are sent over the wired (and wireless) network, or stored on some
media, exactly as they are typed, without any alteration?

Select one of the following:

Clear text passwords

Obfuscated passwords

Hashed passwords

Hex passwords

Question 97 of 181

1

In Windows 7 system files, which file reads the Boot.ini file and loads Ntoskrnl.exe, Bootvid.dll,
Hal.dll, and boot-start device drivers?

Select one of the following:

Ntldr

Gdi32.dll

Kernel32.dll

Boot.in

Question 98 of 181

1

Networks are vulnerable to an attack which occurs due to overextension of bandwidth,
bottlenecks, network data interception, etc.
Which of the following network attacks refers to a process in which an attacker changes his or her
IP address so that he or she appears to be someone else?

Select one of the following:

IP address spoofing

Man-in-the-middle attack

Denial of Service attack

Session sniffing

Question 99 of 181

1

In an echo data hiding technique, the secret message is embedded into a __________ as an echo.

Select one of the following:

Cover audio signal

Phase spectrum of a digital signal

Pseudo-random signal

Pseudo-spectrum signal

Question 100 of 181

1

An attacker uses vulnerabilities in the authentication or session management functions, such as
exposed accounts, session IDs, logout, password management, timeouts, "remember me", secret
question, account update, etc., to impersonate users. If a user simply closes the browser without
logging out from sites accessed through a public computer, an attacker can use the same browser
later and exploit the user's privileges. Which of the following vulnerabilities/exploitations is referred
to above?

Select one of the following:

Session ID in URLs

Timeout Exploitation

I/O exploitation

Password Exploitation

Question 101 of 181

1

NTP is an Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization
to the millisecond of computer clock times in a network of computers. Which of the following
statements is true for NTP stratum levels?

Select one of the following:

Stratum-0 servers are used on the network; they are not directly connected to computers which
then operate as stratum-1 servers

Stratum-1 time server is linked over a network path to a reliable source of UTC time such as GPS, WWV, or CDMA transmissions

A stratum-2 server is directly linked (not over a network path) to a reliable source of UTC time
such as GPS, WWV, or CDMA transmissions

A stratum-3 server gets its time over a network link, via NTP, from a stratum-2 server, and so
on

Question 102 of 181

1

Which of the following is not part of the environmental conditions of a forensics lab?

Select one of the following:

Large dimensions of the room

Good cooling system to overcome excess heat generated by the work station

Allocation of workstations as per the room dimensions

Open windows facing the public road

Question 103 of 181

1

Graphics Interchange Format (GIF) is a ___________ RGB bitmap image format for images with
up to 256 distinct colors per frame.

Select one of the following:

8-bit

16-bit

24-bit

32-bit

Question 104 of 181

1

Cyber-crime is defined as any illegal act involving a gun, ammunition, or its applications.

Select one of the following:

True

False

Question 105 of 181

1

In what circumstances would you conduct searches without a warrant?

Select one of the following:

When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if
there is probable cause to believe that the item seized constitutes evidence of criminal activity

Agents may search a place or object without a warrant if they suspect a crime was committed

A search warrant is not required if the crime involves Denial-Of-Service attack over the Internet

Law enforcement agencies located in California under section SB 567 are authorized to seize
computers without warrant under all circumstances

Question 106 of 181

1

A computer forensic report is a report which provides detailed information on the complete
forensics investigation process.

Select one of the following:

True

False

Question 107 of 181

1

Data compression involves encoding data so that it takes up less storage space and less bandwidth
for transmission. It saves cost and speeds up data handling in many business applications.
Which data compression technique maintains data integrity?

Select one of the following:

Lossless compression

Lossy compression

Speech encoding compression

Lossy video compression

Question 108 of 181

1

A first responder is the person who arrives first at the crime scene and accesses the victim's
computer system after the incident. He or she is responsible for protecting, integrating, and
preserving the evidence obtained from the crime scene.
Which of the following is not a role of a first responder?

Select one of the following:

Identify and analyze the crime scene

Protect and secure the crime scene

Package and transport the electronic evidence to forensics lab

Prosecute the suspect in court of law

Question 109 of 181

1

A hash injection attack allows attackers to inject a compromised hash into a local session and use
the hash to authenticate to network resources.

Select one of the following:

True

False

Question 110 of 181

1

Smith, as part of his forensic investigation assignment, has seized a mobile device. He was asked to recover the Subscriber Identity Module (SIM card) data from the mobile device. Smith found that the
SIM was protected by a Personal Identification Number (PIN) code, but he was also aware that
people generally leave the PIN at the default or use easily guessable numbers such as
1234. He unsuccessfully tried three PINs, which blocked the SIM card. What can Smith do in
this scenario to reset the PIN and access the SIM data?

Select one of the following:

He should contact the device manufacturer for a Temporary Unlock Code (TUK) to gain access
to the SIM

He cannot access the SIM data in this scenario as the network operators or device
manufacturers have no idea about a device PIN

He should again attempt PIN guesses after a time of 24 hours

He should ask the network operator for Personal Unlock Number (PUK) to gain access to the
SIM

Question 111 of 181

1

Centralized logging is defined as gathering the computer system logs for a group of systems in a
centralized location. It is used to efficiently monitor computer system logs with the frequency
required to detect security violations and unusual activity

Select one of the following:

True

False

Question 113 of 181

1

A swap file is a space on a hard disk used as the virtual memory extension of a computer's RAM.
Where is the hidden swap file in Windows located?

Select one of the following:

C:\pagefile.sys

C:\hiberfil.sys

C:\config.sys

C:\ALCSetup.log

Question 114 of 181

1

Which of the following reports is delivered under oath to a board of directors/managers/panel of
jury?

Select one of the following:

Written informal Report

Verbal Formal Report

Written Formal Report

Verbal Informal Report

Question 115 of 181

1

Dumpster Diving refers to:

Select one of the following:

Searching for sensitive information in the user's trash bins and printer trash bins, and searching
the user's desk for sticky notes

Looking at either the user's keyboard or screen while he/she is logging in

Convincing people to reveal the confidential information

Creating a set of dictionary words and names, and trying all the possible combinations to crack
the password

Question 116 of 181

1

If the partition size is 4 GB, each cluster will be 32 KB. Even if a file needs only 10 KB, the entire 32
KB will be allocated, resulting in 22 KB of

Select one of the following:

Slack space

Deleted space

Cluster space

Sector space

Question 117 of 181

1

Which of the following Wi-Fi chalking methods refers to drawing symbols in public places to
advertise open Wi-Fi networks?

Select one of the following:

WarWalking

WarFlying

WarChalking

WarDriving

Question 118 of 181

1

Steganography is a technique of hiding a secret message within an ordinary message and
extracting it at the destination to maintain the confidentiality of data.

Select one of the following:

True

False

Question 119 of 181

1

Identify the attack from the following sequence of actions:
Step 1: A user logs in to a trusted site and creates a new session
Step 2: The trusted site stores a session identifier for the session in a cookie in the web browser
Step 3: The user is tricked into visiting a malicious site
Step 4: The malicious site sends a request from the user's browser using his session cookie

Select one of the following:

Web Application Denial-of-Service (DoS) Attack

Cross-Site Scripting (XSS) Attacks

Cross-Site Request Forgery (CSRF) Attack

Hidden Field Manipulation Attack
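Worked example (added here; not part of the original question set): the four steps above, modelled
as a request handler that trusts only the ambient session cookie, next to the same handler hardened
with an Origin check and a session-bound synchronizer token. The in-memory session store, account
balances, `Request` class and the origins bank.example / evil.example are all assumptions made for
this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed in-memory stand-ins for the trusted site's session store and account state.
SESSIONS = {}                  # session_id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 100}
TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the trusted site


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user):
    """Steps 1-2: create a session and return the cookie value the browser will store."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id):
    """Token the trusted site embeds in its own forms; a cross-origin page cannot read it."""
    return SESSIONS[session_id]["csrf"]


def transfer_vulnerable(req):
    """Authenticates purely from the ambient cookie, so any page that makes the browser
    send the request acts with the victim's privileges (step 4)."""
    session = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or session is None:
        return 403, "forbidden"
    BALANCES[session["user"]] -= int(req.form["amount"])
    return 200, "ok"


def transfer_hardened(req):
    """Same action, but it requires proof that the request came from the site's own page."""
    session = SESSIONS.get(req.cookies.get("session"))
    if req.method != "POST" or session is None:
        return 403, "forbidden"
    # Check 1: browsers attach an Origin header to cross-site POSTs; it must be our own origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    # Check 2: synchronizer token bound to the session, compared in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid csrf token"
    BALANCES[session["user"]] -= int(req.form["amount"])
    return 200, "ok"


def forged_request(session_cookie):
    """Steps 3-4: what the malicious page makes the victim's browser send. The browser adds
    the cookie automatically, but the page cannot read the session-bound token."""
    return Request("POST", {"session": session_cookie}, {"amount": "50"},
                   {"Origin": "https://evil.example"})
```

In a real deployment the cookie would additionally carry the SameSite attribute, so that the
browser does not attach it to cross-site requests in the first place; the token check stays as
defence in depth for older browsers and for same-site subdomain compromises.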

Question 120 of 181

1

Router log files provide detailed information about the network traffic on the Internet. They give
information about the attacks to and from the networks. The router stores log files in
the ____________.

Select one of the following:

Router cache

Application logs

IDS logs

Audit logs

Question 121 of 181

1

The Recycle Bin is located on the Windows desktop. When you delete an item from the hard disk,
Windows sends that deleted item to the Recycle Bin and the icon changes to full from empty, but
items deleted from removable media, such as a floppy disk or network drive, are not stored in the
Recycle Bin.
What is the size limit for Recycle Bin in Vista and later versions of the Windows?

Select one of the following:

No size limit

Maximum of 3.99 GB

Maximum of 4.99 GB

Maximum of 5.99 GB

Question 122 of 181

1

Which of the following is not an example of a cyber-crime?

Select one of the following:

Fraud achieved by the manipulation of the computer records

Firing an employee for misconduct

Deliberate circumvention of the computer security systems

Intellectual property theft, including software piracy

Question 123 of 181

1

Files stored in the Recycle Bin's physical location are renamed as Dxy.ext, where "x"
represents the _________.

Select one of the following:

Drive name

Sequential number

Original file name's extension

Original file name

Question 124 of 181

1

Which of the following statements is not correct when dealing with a powered-on computer at the
crime scene?

Select one of the following:

If a computer is switched on and the screen is viewable, record the programs running on screen
and photograph the screen

If a computer is on and the monitor shows some picture or screen saver, move the mouse
slowly without depressing any mouse button and take a photograph of the screen and record the
information displayed

If a monitor is powered on and the display is blank, move the mouse slowly without depressing
any mouse button and take a photograph

If the computer is switched off, power on the computer to take a screenshot of the desktop

Question 125 of 181

1

Tracks numbering on a hard disk begins at 0 from the outer edge and moves towards the center,
typically reaching a value of ___________.

Select one of the following:

1023

1020

1024

2023

Question 126 of 181

1

Event correlation is a procedure that assigns a new meaning to a set of events that occur
in a predefined interval of time.
Which type of correlation will you use if your organization wants to use different OS and network
hardware platforms throughout the network?

Select one of the following:

Same-platform correlation

Cross-platform correlation

Multiple-platform correlation

Network-platform correlation

Question 127 of 181

1

Which root folder (hive) of registry editor contains a vast array of configuration information for the
system, including hardware settings and software settings?

Select one of the following:

HKEY_USERS

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_CURRENT_CONFIG

Question 128 of 181

1

Hard disk data addressing is a method of allotting addresses to each ___________of data on a
hard disk

Select one of the following:

Physical block

Logical block

Operating system block

Hard disk block

Question 129 of 181

1

How do you define forensic computing?

Select one of the following:

It is the science of capturing, processing, and investigating data security incidents and making it
acceptable to a court of law.

It is a methodology of guidelines that deals with the process of cyber investigation

It Is a preliminary and mandatory course necessary to pursue and understand fundamental
principles of ethical hacking

It is the administrative and legal proceeding in the process of forensic investigation

Question 130 of 181

1

What is the smallest allocation unit of a hard disk?

Select one of the following:

Cluster

Spinning tracks

Disk platters

Slack space

Question 131 of 181

1

Which one of the following statements is not correct while preparing for testimony?

Select one of the following:

Go through the documentation thoroughly

Do not determine the basic facts of the case before beginning and examining the evidence

Establish early communication with the attorney

Substantiate the findings with documentation and by collaborating with other computer
forensics professionals

Question 132 of 181

1

Which of the following is not part of the checklist for securing and evaluating an electronic crime
scene?

Select one of the following:

Locate and help the victim

Transmit additional flash messages to other responding units

Request additional help at the scene if needed

Blog about the incident on the internet

Question 133 of 181

1

The Apache server saves diagnostic information and error messages that it encounters while
processing requests. The default path of this file is /usr/local/apache/logs/error.log on Linux. Identify
the Apache error log from the following logs.

Question 134 of 181

1

Operating system logs are most beneficial for identifying or investigating suspicious activities
involving a particular host. Which of the following operating system logs contains information
about operational actions performed by OS components?

Select one of the following:

Event logs

Audit logs

Firewall logs

IDS logs

Question 135 of 181

1

A mobile operating system manages communication between the mobile device and other
compatible devices like computers, televisions, or printers. Which mobile operating system architecture is represented here?

Select one of the following:

webOS System Architecture

Symbian OS Architecture

Android OS Architecture

Windows Phone 7 Architecture

Question 136 of 181

1

All the information about user activity on the network, such as details of logon and logoff
attempts, is collected in the security log of the computer. Success audits generate an entry when a
user logs on successfully, whereas failure audits generate an entry for each failed logon attempt,
using the event IDs in the logon event ID table.
In the logon event ID table, which event ID (number) represents a successful logon to a
computer?

Select one of the following:

528

529

530

531
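Worked example (added here; not part of the original question set): the legacy IDs in the question
(528 successful logon, 529/530/531 failures for bad credentials, logon-hour restriction and disabled
account) were replaced by 4624/4625 from Windows Vista onward, so detection logic should accept
both generations. The CSV export format and the log lines below are constructed for the example;
the detection rule (a run of failures followed by a success from the same source) is a common
first-pass indicator of a successful password-guessing attempt, not something the question states.

```python
import csv
import io
from collections import defaultdict

# Legacy (NT 4/2000/XP/2003) logon event IDs plus their Vista-and-later equivalents.
SUCCESS_IDS = {528, 540, 4624}       # 528 interactive logon, 540 network logon, 4624 any logon
FAILURE_IDS = {529, 530, 531, 4625}  # bad credentials, time restriction, disabled account, any failure

# Constructed sample export (timestamp,event_id,account,source_ip); not real log data.
SAMPLE_LOG = """\
timestamp,event_id,account,source_ip
2024-03-01T08:00:01,528,alice,10.0.0.5
2024-03-01T08:05:10,529,bob,10.0.0.9
2024-03-01T08:05:12,529,bob,10.0.0.9
2024-03-01T08:05:14,529,bob,10.0.0.9
2024-03-01T08:05:15,529,bob,10.0.0.9
2024-03-01T08:05:20,528,bob,10.0.0.9
2024-03-01T09:00:00,531,carol,10.0.0.7
2024-03-01T09:30:00,4624,alice,10.0.0.5
"""


def parse_events(text):
    """Parse the CSV export into dicts with an integer event_id, keeping only logon events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        event_id = int(row["event_id"])
        if event_id in SUCCESS_IDS or event_id in FAILURE_IDS:
            row["event_id"] = event_id
            events.append(row)
    return events


def summarize(events):
    """Per-account counts of successful and failed logons."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for ev in events:
        key = "success" if ev["event_id"] in SUCCESS_IDS else "failure"
        counts[ev["account"]][key] += 1
    return dict(counts)


def detect_guessing_then_success(events, threshold=3):
    """Flag (account, source_ip) pairs where >= threshold consecutive failures are followed
    by a success from the same source. Assumes the export is in chronological order."""
    streak = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev["account"], ev["source_ip"])
        if ev["event_id"] in FAILURE_IDS:
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                hits.append(key)
            streak[key] = 0
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(summarize(evs))
    print(detect_guessing_then_success(evs))
```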

Question 137 of 181

1

What is the first step that needs to be carried out to investigate wireless attacks?

Select one of the following:

Obtain a search warrant

Identify wireless devices at crime scene

Document the scene and maintain a chain of custody

Detect the wireless connections

Question 138 of 181

1

Which of the following commands shows you the username and IP address used to access the
system via a remote login session, and the type of client from which they are accessing the
system?

Select one of the following:

Net sessions

Net file

Net config

Net share

Question 139 of 181

1

SMTP (Simple Mail Transfer protocol) receives outgoing mail from clients and validates source
and destination addresses, and also sends and receives emails to and from other SMTP servers.

Select one of the following:

True

False

Question 142 of 181

1

Why is it important to consider health and safety factors in the work carried out at all stages of the
forensic process conducted by the forensic analysts?

Select one of the following:

This is to protect the staff and preserve any fingerprints that may need to be recovered at a
later date

All forensic teams should wear protective latex gloves which makes them look professional and
cool

Local law enforcement agencies compel them to wear latex gloves

It is a part of ANSI 346 forensics standard

Question 143 of 181

1

When NTFS is formatted, the format program assigns the __________ sectors to the boot sector
and to the bootstrap code.

Select one of the following:

First 12

First 16

First 22

First 24

Question 144 of 181

1

What is the goal of forensic science?

Select one of the following:

To determine the evidential value of the crime scene and related evidence

Mitigate the effects of the information security breach

Save the good will of the investigating organization

It is a discipline to deal with the legal processes

Question 145 of 181

1

Smith, an employee of a reputed forensic investigation firm, has been hired by a private
organization to investigate a laptop that is suspected to be involved in the hacking of the organization's DC
server. Smith wants to find all the values typed into the Run box in the Start menu. Which of the
following registry keys will Smith check to find the above information?

Select one of the following:

UserAssist Key

MountedDevices key

RunMRU key

TypedURLs key

Question 146 of 181

1

Shortcuts are files with the extension .lnk that are created and accessed by users.
These files provide you with information about:

Select one of the following:

Files or network shares

Running application

Application logs

System logs

Question 147 of 181

1

When the operating system marks clusters as used but does not allocate them to any file, such
clusters are known as ___________

Select one of the following:

Lost clusters

Bad clusters

Empty clusters

Unused clusters

Question 148 of 181

1

The quality of a raster image is determined by the _________________ and the amount of information
in each pixel.

Select one of the following:

Total number of pixels

image file format

Compression method

Image file size

Question 149 of 181

1

What is the first step that needs to be carried out to crack the password?

Select one of the following:

A word list is created using a dictionary generator program or dictionaries

The list of dictionary words is hashed or encrypted

The hashed wordlist is compared against the target hashed password, generally one word at a
time

If it matches, that password has been cracked and the password cracker displays the
unencrypted version of the password
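Worked example (added here; not part of the original question set): the four steps above as a small
dictionary attack against a password hash. The word list, the simple mangling rules (capitalisation
and common suffixes) and the salt-prepended hash construction are assumptions for the example;
real systems use salted, slow hashes such as bcrypt or scrypt, which is exactly what makes step 2
expensive enough to matter.

```python
import hashlib

# Constructed word list standing in for a dictionary file (step 1).
WORDLIST = ["password", "letmein", "123456", "summer2023", "qwerty", "Winter!2024"]


def mangled_forms(word):
    """Common variations a dictionary generator would produce from one base word (assumed rules)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix


def hash_candidate(word, algorithm="sha256", salt=b""):
    """Step 2: hash one candidate the same way the target system did.
    Salt-prepended construction is an assumption; match the real scheme when cracking."""
    return hashlib.new(algorithm, salt + word.encode()).hexdigest()


def crack(target_hex, algorithm="sha256", salt=b"", words=WORDLIST, mangle=True):
    """Steps 3-4: hash each candidate and compare against the target one at a time;
    return the plaintext on a match, or None if the word list is exhausted."""
    target_hex = target_hex.lower()
    for word in words:
        candidates = mangled_forms(word) if mangle else [word]
        for candidate in candidates:
            if hash_candidate(candidate, algorithm, salt) == target_hex:
                return candidate
    return None


if __name__ == "__main__":
    print(crack(hashlib.sha256(b"letmein").hexdigest()))
```

The same wordlist hashed once can be reused against every unsalted hash in a dump; a per-user
salt forces the attacker to redo step 2 for each account, and a memory-hard hash multiplies the
cost of each of those hashes.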

Question 150 of 181

1

Which wireless standard has bandwidth up to 54 Mbps and signals in a regulated frequency
spectrum around 5 GHz?

Select one of the following:

802.11a

802.11b

802.11g

802.11i

Question 151 of 181

1

According to US federal rules, to present a testimony in a court of law, an expert witness needs to
furnish certain information to prove his eligibility. Jason, a qualified computer forensic expert who
has started practicing two years back, was denied an expert testimony in a computer crime case
by the US Court of Appeals for the Fourth Circuit in Richmond, Virginia. Considering the US
federal rules, what could be the most appropriate reason for the court to reject Jason's eligibility as
an expert witness?

Select one of the following:

Jason was unable to furnish documents showing four years of previous experience in the field

Being a computer forensic expert, Jason is not eligible to present testimony in a computer crime
case

Jason was unable to furnish documents to prove that he is a computer forensic expert

Jason was not aware of legal issues involved with computer crimes

Question 152 of 181

1

The ever-changing advancement of mobile devices increases the complexity of mobile device
examinations. Which of the following is an appropriate action for a mobile forensic investigation?

Select one of the following:

To avoid unwanted interaction with devices found on the scene, turn on any wireless interfaces
such as Bluetooth and Wi-Fi radios

Do not wear gloves while handling cell phone evidence to maintain integrity of physical
evidence

If the device's display is on, the screen's contents should be photographed and, if necessary,
recorded manually, capturing the time, service status, battery level, and other displayed icons

If the phone is in a cradle or connected to a PC with a cable, then unplug the device from the
computer

Question 153 of 181

1

What is static executable file analysis?

Select one of the following:

It is a process that consists of collecting information about and from an executable file without
actually launching the file under any circumstances

It is a process that consists of collecting information about and from an executable file by
launching the file under any circumstances

It is a process that consists of collecting information about and from an executable file without
actually launching an executable file in a controlled and monitored environment

It is a process that consists of collecting information about and from an executable file by
launching an executable file in a controlled and monitored environment

Question 154 of 181

1

The need for computer forensics is highlighted by an exponential increase in the number of
cybercrimes and litigations where large organizations were involved. Computer forensics plays an
important role in tracking the cyber criminals. The main role of computer forensics is to:

Select one of the following:

Maximize the investigative potential by maximizing the costs

Harden organization perimeter security

Document monitoring processes of employees of the organization

Extract, process, and interpret the factual evidence so that it proves the attacker's actions in the
court

Question 155 of 181

1

Mobile phone forensics is the science of recovering digital evidence from a mobile phone under
forensically sound conditions.

Select one of the following:

True

False

Question 156 of 181

1

An attack vector is a path or means by which an attacker can gain access to computer or network
resources in order to deliver an attack payload or cause a malicious outcome.

Select one of the following:

True

False

Question 157 of 181

1

How do you define Technical Steganography?

Select one of the following:

Steganography that uses physical or chemical means to hide the existence of a message

Steganography that utilizes written natural language to hide the message in the carrier in some
non-obvious ways

Steganography that utilizes written JAVA language to hide the message in the carrier in some
non-obvious ways

Question 158 of 181

Which of the following is not a part of disk imaging tool requirements?

Select one of the following:

The tool should not change the original content

The tool should log I/O errors in an accessible and readable form, including the type and
location of the error

The tool must have the ability to be held up to scientific and peer review

The tool should not compute a hash value for the complete bit stream copy generated from an
image file of the source

Question 159 of 181

1

A forensic investigator is a person who handles the complete investigation process, that is, the
preservation, identification, extraction, and documentation of the evidence. The investigator has
many roles and responsibilities relating to cybercrime analysis. The role of the forensic
investigator is to:

Select one of the following:

Take permission from all employees of the organization for investigation

Harden organization network security

Create an image backup of the original evidence without tampering with potential evidence

Keep the evidence a highly confidential and hide the evidence from law enforcement agencies

Question 160 of 181

1

What document does the screenshot represent?

Select one of the following:

Chain of custody form

Search warrant form

Evidence collection form

Expert witness form

Question 161 of 181

1

Which of the following standards is based on a legal precedent regarding the admissibility of
scientific examinations or experiments in legal cases?

Select one of the following:

Question 163 of 181

Billy, a computer forensics expert, has recovered a large number of DBX files during the forensic investigation of a laptop. Which of the following email clients can he use to analyze the DBX files?

Select one of the following:

Microsoft Outlook

Microsoft Outlook Express

Mozilla Thunderbird

Eudora

Question 164 of 181

1

Which of the following is the certifying body of forensics labs that investigate criminal cases by
analyzing evidence?

Select one of the following:

The American Society of Crime Laboratory Directors (ASCLD)

International Society of Forensics Laboratory (ISFL)

The American Forensics Laboratory Society (AFLS)

The American Forensics Laboratory for Computer Forensics (AFLCF)

Question 165 of 181

1

Which of the following attacks allows an attacker to access restricted directories, including
application source code, configuration and critical system files, and to execute commands outside
of the web server's root directory?

Select one of the following:

Question 166 of 181

Select one of the following:

Simple sequential flat files

Segmented files

Compressed image files

Segmented image files

Question 167 of 181

1

JPEG is a commonly used method of compressing photographic images. It uses a lossy compression
algorithm to minimize the size of a natural image with little visible effect on its quality. The
JPEG lossy algorithm divides the image into separate blocks of ____________.

Select one of the following:

4x4 pixels

8x8 pixels

16x16 pixels

32x32 pixels

Question 168 of 181

1

Which of the following attacks allows an attacker to gain access to the communication channel
between the victim and the server in order to extract information?

Select one of the following:

Man-in-the-middle (MITM) attack

Replay attack

Rainbow attack

Distributed network attack

Question 169 of 181

1

Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and
executed as part of a command or query. Attackers exploit injection flaws by constructing
malicious commands or queries that result in data loss or corruption, lack of accountability, or
denial of access. Which of the following injection flaws involves the injection of malicious code
through a web application?

Select one of the following:

SQL Injection

password brute force

Nmap Scanning

Footprinting

Question 170 of 181

1

What is a first sector ("sector zero") of a hard disk?

Select one of the following:

Master boot record

System boot record

Secondary boot record

Hard disk boot record

Question 171 of 181

1

Microsoft Security IDs are available in Windows Registry Editor. The path to locate IDs in
Windows 7 is:

Question 172 of 181

1

Netstat is a tool for collecting information regarding network connections. It provides a simple view
of TCP and UDP connections, their state, and network traffic statistics.
Which of the following commands shows you the TCP and UDP network connections, listening
ports, and the owning process identifiers (PIDs)?

Select one of the following:

netstat -ano

netstat -b

netstat -r

netstat -s
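Worked example (added here; not part of the original question set): the output of `netstat -ano` is
only useful once the PID column is tied back to the listening ports and established sessions, so the
parser below turns the table into records, maps listening TCP ports to PIDs, and picks out
established sessions to hosts outside the internal ranges. The sample output is constructed for the
example; the 203.0.113.0/24 address is an RFC 5737 documentation range standing in for an
arbitrary internet host, and the list of "internal" networks is an assumption to adjust per site.

```python
import ipaddress

# Constructed sample of `netstat -ano` output on Windows; not captured from a real host.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49712         203.0.113.10:4444      ESTABLISHED     5120
  TCP    10.0.0.5:49801         10.0.0.20:445          ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       908
  UDP    0.0.0.0:5355           *:*                                    1432
"""

# Assumed "internal" ranges: RFC 1918, loopback, link-local, unspecified, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "::1/128", "::/128", "fe80::/10", "fc00::/7")]


def split_endpoint(endpoint):
    """'10.0.0.5:49712' -> ('10.0.0.5', 49712); '[::]:135' -> ('::', 135); '*:*' -> (None, None)."""
    if endpoint == "*:*":
        return None, None
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Turn the netstat table into dicts; banner and header lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        # UDP is connectionless, so netstat prints no State column for it.
        state, pid = (fields[3], fields[4]) if proto == "TCP" else (None, fields[3])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state, "pid": int(pid)})
    return records


def listening_tcp_ports(records):
    """Map each listening TCP port to the PID that owns it."""
    return {r["local_port"]: r["pid"] for r in records
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def external_established(records):
    """Established TCP sessions to hosts outside the internal ranges: a first cut at spotting
    reverse shells or C2 traffic, to be cross-checked against the PID with tasklist."""
    return [r for r in records
            if r["state"] == "ESTABLISHED" and not is_internal(r["foreign_host"])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print(listening_tcp_ports(recs))
    print(external_established(recs))
```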

Question 173 of 181

1

The International Mobile Equipment Identifier (IMEI) is a 15-digit number that indicates the
manufacturer, model type, and country of approval for GSM devices. The first eight digits of an
IMEI number, which provide information about the model and origin of the mobile device, are also
known as:

Select one of the following:

W3SVC2

4210

3524

100
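Worked example (added here; not part of the original question set): the first eight digits of an IMEI
are the Type Allocation Code (TAC), the next six are the unit serial number, and the fifteenth is a
Luhn check digit. Validating that check digit before relying on a recovered IMEI catches transcription
errors and crude tampering. The IMEI used below is an illustrative value with a valid check digit, not
a real device identifier.

```python
def luhn_valid(digits):
    """True when the Luhn checksum is 0: every second digit from the right is doubled
    (subtracting 9 if the result exceeds 9) and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(first14):
    """Compute the 15th digit so that the full IMEI passes the Luhn check."""
    for d in "0123456789":
        if luhn_valid(first14 + d):
            return d
    raise AssertionError("unreachable: one digit always satisfies the Luhn check")


def parse_imei(imei):
    """Split an IMEI (separators such as '-' tolerated) into its fields after validating it."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError("IMEI must contain exactly 15 digits")
    if not luhn_valid(digits):
        raise ValueError("Luhn check digit mismatch: IMEI mistyped or tampered")
    return {
        "tac": digits[:8],              # Type Allocation Code: model and approval origin
        "reporting_body": digits[:2],   # first two TAC digits identify the allocating body
        "serial": digits[8:14],         # per-unit serial number within the TAC
        "check_digit": digits[14],
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))   # illustrative IMEI, valid check digit
```

Look the TAC up in a GSMA device database to confirm make and model; the Luhn digit only proves
the number is self-consistent, not that it belongs to the handset in evidence.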

Question 175 of 181

1

The evolution of web services and their increasing use in business offers new attack vectors in an
application framework. Web services are based on XML protocols such as Web Services Description
Language (WSDL) for describing the connection points, Universal Description, Discovery, and
Integration (UDDI) for the description and discovery of web services, and Simple Object Access
Protocol (SOAP) for communication between web services, all of which are vulnerable to various web
application threats. Which of the following layers in the web services stack is vulnerable to fault code
leaks?

Select one of the following:

Presentation Layer

Security Layer

Discovery Layer

Access Layer

Question 176 of 181

1

A mobile operating system is the operating system that operates a mobile device like a mobile
phone, smartphone, PDA, etc. It determines the functions and features available on mobile
devices such as keyboards, applications, email, text messaging, etc. Which of the following mobile
operating systems is free and open source?

Select one of the following:

Web OS

Android

Apple iOS

Symbian OS

Question 177 of 181

1

Digital evidence validation involves using a hashing algorithm utility to create a binary or
hexadecimal number that represents the uniqueness of a data set, such as a disk drive or file.
Which of the following hash algorithms produces a message digest that is 128 bits long?

Select one of the following:

CRC-32

MD5

SHA-1

SHA-512
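Worked example (added here; not part of the original question set): hashing a bit-stream copy the
way an imaging tool does, in chunks, and checking the digest length of each algorithm against the
128/160/256/512-bit sizes named above. The 16 KiB "evidence" buffer is constructed for the example;
the empty-input MD5 value in the test is the well-known fixed digest of zero bytes.

```python
import hashlib
import hmac

DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha512": 512}

# Constructed stand-in for a disk image: 16 KiB of repeating byte values.
EVIDENCE = bytes(range(256)) * 64


def hash_stream(data, algorithm, chunk_size=4096):
    """Feed the data to the hash in chunks, as an imaging tool would over a drive far
    larger than memory, and return the hex digest."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest()


def digest_bits(hexdigest):
    """Each hex character encodes four bits."""
    return len(hexdigest) * 4


def verify_image(image, expected_hexdigest, algorithm):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return hmac.compare_digest(hash_stream(image, algorithm), expected_hexdigest.lower())


def acquisition_record(image, algorithms=("md5", "sha256")):
    """Digests to write into the chain-of-custody record; recording more than one
    algorithm guards against a collision attack on any single one."""
    return {alg: hash_stream(image, alg) for alg in algorithms}


if __name__ == "__main__":
    rec = acquisition_record(EVIDENCE)
    print(rec, verify_image(EVIDENCE, rec["sha256"], "sha256"))
```

MD5 is the one the question asks about, and its 128-bit digest is what many older tools record, but
MD5 collisions are practical today, so record a SHA-2 digest alongside it when acquiring evidence.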

Question 178 of 181

1

An intrusion detection system (IDS) gathers and analyzes information from within a computer or a
network to identify any possible violations of security policy, including unauthorized access, as well
as misuse.
Which of the following intrusion detection systems audit events that occur on a specific host?

Select one of the following:

Question 180 of 181

1

Damaged portions of a disk on which no read/write operation can be performed are known as:

Select one of the following:

Lost sector

Bad sector

Empty sector

Unused sector

Question 181 of 181

1

BMP (Bitmap) is a standard file format for computers running the Windows operating system. BMP
images can range from black and white (1 bit per pixel) up to 24 bit color (16.7 million colors).
Each bitmap file contains header, the RGBQUAD array, information header, and image data.
Which of the following element specifies the dimensions, compression type, and color format for
the bitmap?